from the when-six-warrants-is-a-constellation-of-records dept

The EFF is taking the San Bernardino County Sheriff's Department to court. The dispute centers on Stingray warrants possessed by the agency. The Sheriff's Department likely holds more of these records than any other agency in the state. According to the Desert Sun's investigation -- based on state law-mandated reporting on electronic searches, San Bernardino residents were 20 times more likely to be subjected to an electronic search than residents elsewhere in state.

Even more troubling, a lot of these searches -- including Stingray deployments -- were performed by the department when it had no idea who it was looking for or whose devices it was searching.

If the situation is deemed an emergency, the judge can grant law enforcement the option to delay notification for up to 90 days.

A 90-day delay is also granted in cases when the identity of the person they are investigating is not known by the investigating agency.

[...]

Warrants are only reported to the California Department of Justice if the warrant receives the 90-day delay for notification. The department does not include records of warrants for electronic property, if the target is notified immediately.

Of the more than 700 warrants reported to the California Department of Justice by the San Bernardino County Sheriff’s Department, only 47 received emergency status, meaning 93 percent of their warrants were granted to investigate people whose identity was unknown to the department.

The department did not provide an explanation for why they are investigating the digital property of so many people before identifying them.

The numerous searches -- which apparently include a large number of fishing expeditions -- is an ongoing concern, especially with California's more stringent privacy laws in play. The Sheriff's Department has been a fan of Stingrays for a long time, but hasn't been very forthcoming about its deployments. This dishonesty extends to judges, who were handed pen register order requests that disguised the true nature of the search. The "insert probable cause" boilerplate pen register request obtained by Cyrus Farivar of Ars Technica suggests invasive searches were performed with plug-and-play paperwork that both laundered the evidence and utilized one-size-fits-all phrasing when seeking judicial approval.

What the EFF is seeking is a very small subset of Stingray warrants possessed by the Sheriff's Department. It's attempting to obtain copies of six warrants specifically identified by the state's Department of Justice in mandated publications. The search for these documents by the Sheriff's Department should be made even easier thanks to the inclusion of a noticeable typo.

EFF determined that the county has used cell-site simulators 231 times in the last year and filed a request under the California Public Records Act in August to obtain search warrant information for six specific searches that were made public by the DOJ. Each of the searches included authorization for the use of “cell-site stimulators” [sic], an apparent misspelling of the cell-phone tracking technology in the records submitted by San Bernardino to the DOJ.

EFF’s public records request sought court case numbers associated with the search warrants, which would enable researchers to locate court records like affidavits justifying the need for a warrant and other information vital to assessing whether police are following the law and their own policies when obtaining warrants. The request contained detailed information about each warrant, made public by the DOJ, such as the nature of the warrants, the precise start and end dates of the warrants and verbatim quotes about the grounds for each warrant.

The Sheriff's Department responded to this hyperspecific records request with more government agency boilerplate. It claimed the request was "vague" and "overly broad" and failed to describe an "identifiable record." This deliberate obtuseness will now have to be defended in court. Considering the request, the EFF's arguments aren't that difficult to make. From the filing [PDF]:

In an attempt to learn about Defendants’ use of these devices, EFF sent a request for records relating to six cell site simulator warrants that precisely identified each warrant using the information on the Department of Justice’s OpenJustice website, including the date range of the authorized search, the nature of the investigation, the items to be searched for, and the exact date and time Defendants electronically provided information about them to the Department of Justice.

Defendants refused to comply with the request, claiming that it failed to reasonably describe the records at issue and that the records are exempt from disclosure as records of an investigation under Government Code § 6254(f).

Neither of these is a legitimate justification for failing to provide the records:

The request more than reasonably described the target records. In fact, it uniquely identified the warrants in question, providing the exact time frame covered by the warrant, the exact date and time the Defendants provided information about the warrants to the Department of Justice, and other identifying information. Defendants’ claim in this regard is particularly weak because their own policy – which state law requires them to adopt and make public – requires their personnel to obtain high-level approval for, and then maintain a log of, all warrants like those here at issue. This log must contain the dates that the cell site simulator was used, which would mirror or be contained within the time frame covered by the warrant, and so would allow Defendants to easily identify and locate the requested warrants.

The EFF also points out the Sheriff's Department can't throw a blanket exception over court records -- which are presumptively public. In addition, the California DOJ has specifically instructed the EFF to obtain documents (like these warrants) listed on its OpenJustice website directly from the agency that created them.

Having been forced into openness by legislation, the Sheriff's Department is hoping to maintain some level of opacity even as it continues its record-setting pace for electronic searches of individuals it can even identify. It shouldn't take long for the court to decide the Sheriff's claims about vagueness and broadness are ridiculous. Hopefully, the court won't decide presumptively-public documents like court orders and warrant affidavits can be withheld just because a cop shop says they might reveal cop stuff.

from the also-deployed:-parallel-construction dept

The Florida Court of Appeals has upheld a suppression order for evidence obtained through the use of a Stingray device. This decision draws the line between third-party info and info gathered directly by the government, even if the info collected was roughly the same. (h/t Cyrus Farivar)

In the course of investigating an armed robbery that led to the killing of one of the robbery victims, law enforcement sought assistance from the suspect's cell service provider, asking for cell site location info and the placement of a trap-and-trace on the cellphone itself. The following comes from the appeals court decision [PDF]:

A judge signed the “CSLI Order,” which required the service provider to disclose “all cell-site activations and sectors for all incoming and outgoing calls/communications . . . call detail location records, ‘angle from the tower’ data, including contemporaneous (real-time) with these communications, and historical calls/communications detail records.” The judge also signed an order requiring the service provider to install a pen register and trap and trace device on the Defendant’s phone and transmit the information collected to the Broward Sheriff’s Office (the “Trap and Trace Order”).

Later, the State applied for a search warrant of a Fort Lauderdale residence. The affidavit filed in support of the warrant stated that “[m]obile tracking was activated on [the Defendant’s] cell phone pursuant to a lawful court order” and that the Defendant’s phone was “placed specifically” at the residence and had been “stationary overnight within this residence for several concurrent nights.” The search warrant was granted.

Law enforcement testified the cell provider could only provide "tower information," rather than precise GPS location. To make up for this lack of specificity, investigators decided to fire up a Stingray to pinpoint the location of the suspect's phone. This extra step -- performed without a warrant -- ultimately resulted in the suppression of evidence by the trial court. The government appealed, citing the subpoenas and the Third Party Doctrine. The state appeals court disagrees.

Combining the ruling on cellphone searches (Riley) and the invasiveness of new technology (Kyllo) [along with the recent Carpenter decision], the court comes to this conclusion:

Together these cases hold that, without a warrant, the government cannot: use technology to view information not visible to the naked eye, attach a device to property to monitor your location, search a cell phone in your possession without a warrant, or obtain real-time location information from the cell carrier.

With a cell-site simulator, the government does more than obtain data held by a third party. The government surreptitiously intercepts a signal that the user intended to send to a carrier’s cell-site tower or independently pings a cell phone to determine its location. Not only that, a cell-site simulator also intercepts the data of other cell phones in the area, including the phones of people not being investigated.

If a warrant is required for the government to obtain historical cell-site information voluntarily maintained and in the possession of a third party, see Carpenter, 138 S. Ct. at 2221, we can discern no reason why a warrant would not be required for the more invasive use of a cell-site simulator.

The court also notes law enforcement -- in deploying a Stingray -- went far beyond what was actually authorized in the judicial orders it obtained.

The CSLI Order did not authorize the State to act independently. But the sergeant and the Defendant’s expert testified that the information maintained by the service provider could not identify the exact location of the Defendant’s phone. So the State resorted to other means. In other words, the CSLI Order authorized indirect government surveillance.

But the State could not obtain the information it required through the authorized means. So the State conducted direct government surveillance by using a cell-site simulator. And it did so without a warrant. Based on controlling Supreme Court authority, the court correctly suppressed the evidence obtained as a result of the State’s warrantless actions.

The end result is suppression of evidence gathered with the Stingray device. Since it was this device that pinpointed the location of the suspect's cellphone, the evidence obtained from the search of the residence the phone was located at is going to disappear as well. And that's evidence the government likely can't do without. It includes three guns, a mask, ammunition, and a stun gun -- all of which likely played a part in the armed robbery.

That this happened nearly five years ago makes little difference. It may have preceded the Carpenter ruling that created a privacy right for cell site location info, but the other Supreme Court precedent on cellphone searches and the use of invasive technology (like thermal imaging) to cross the threshold of people's homes without ever setting foot inside predates the warrantless Stingray deployment.

And a Stingray does exactly that: it forces phones -- wherever located -- to connect to it and give up location data and identifying info. It's something law enforcement can't obtain without electronic coercement and it's far more precise than the coarse location info it can obtain without a warrant from cellphone providers. Of course, the Carpenter decision changed the math on location info, so if law enforcement really wants to locate a phone, it's now better off seeking warrants for Stingray deployment than approaching third parties for the same data if it's looking for something more "real time."

from the gotta-risk-lives-to-save-lives-or-whatever dept

The FBI has admitted -- albeit not that publicly -- that Stingray devices disrupt phone service. Spoofing a cell tower has negative effects on innocent phone users as the device plays man-in-the-middle while trying to locate the targeted device. An unsealed document from a criminal prosecution and assertions made in warrant affidavits alleging "minimal" disruption are all we have to go on, at least in terms of official statements.

Supposedly, Stingrays are supposed to allow 911 service to continue uninterrupted. But it's hard to square that with the fact every phone in the device's range is forced to connect to the Stingray first before being allowed to connect with a real cell tower. In some cases, the device might force every phone in range to drop to a 2G connection. This may still allow 911 calls to take place, but almost any other form of communication will be impossible as long as the Stingray is in use.

Ron Wyden's staff technologist, Chris Soghoian (formerly of the ACLU), will be fielding answers from the DOJ and FBI about 911 service disruptions, if those answers ever arrive. Wyden's office has sent a letter [PDF] demanding to know the extent of cell service disruption when Stingrays are deployed. And he'd also like to know if these agencies are being honest about the negative side effects when agents seek warrants.

1. The Communications Act of 1934 prohibits willful or malicious interference with licensed radio communications. How is a federal law enforcement agency's use of a cell-site simulator not authorized by a court order consistent with the prohibition on interference with radio communications in 47 U.S.C. 333?

2. Is it the position of DOJ that a search warrant authorizing a federal law enforcement agency to use a cell-site simulator overrides the statutory prohibition on interference in 47 U.S.C. 333? If yes, please explain Why.

3. Does DOJ believe that it has an obligation under the duty of candor to notify federal courts considering an application for the use of a cell-site simulator that federal law prohibits interference with cellular communications? If not, please explain why.

4. Is it the position of DOJ that it is lawful, with or without a court order, for a federal law enforcement agency to interfere with licensed radio communications such that it disrupts a surveillance target's emergency cellular communications with 9-1-1? If yes, please explain why.

We'll see if Wyden gets his answers. The DOJ still has yet to answer similar questions Wyden asked last year, and there's little reason to believe its response time to questions it doesn't want to answer has improved since 2017.

There is evidence cell site simulators do interfere with 911 service, even if the US government has yet to admit it. A document obtained by the ACLU from the Royal Canadian Mounted Police clearly states cell site simulators have negative effects on emergency calls.

The MDI [Mobile Device Identifier] will shut itself off if a mobile within its range dials 911. However, recent testing at HQ revealed that more than 50% of the GSM mobile telephones tested had not automatically completed their 911 calls after the MDI had shut itself off.

This memo says the RCMP should inform judges of this possible side effect when seeking warrants and use a 3-minutes-on, 2-minutes-off cycle to minimize cell service disruption and overcollection of cell data from non-targets. If the DOJ has directed the FBI to engage in practices like these, it has yet to make that information public. From what little has been gleaned from public statements and begrudging answers to legislators and Congressional committees, the FBI's use of Stingrays appears to only be constrained by a warrant requirement that is merely the DOJ's internal policy, rather than codified by law.

California law does not allow state judges to sign off on warrants for federal agents, something that this particular FBI agent, Stonie Carlson, apparently did not know.

"But the two warrants were plagued by numerous errors, reflecting a pattern of systematic recklessness by law enforcement that militates in favor of suppressing the evidence (and against applying the 'good-faith exception' to the exclusionary rule)," US District Judge Vince Chhabria wrote in a July 3 order. "This ruling is published separately to put the relevant actors in the criminal justice system on notice that California law prevents state judges from issuing search warrants to federal law enforcement officers, which means that federal law enforcement officers are not permitted to execute such warrants."

The FBI put its Stingray to use to track cellphones used by people suspected of engaging in credit card fraud. The order [PDF] suppressing the evidence is an entertaining read -- one that doesn't pull any verbal punches excoriating the federal agents involved in this law-flaunting trip through a California courthouse.

FBI Agent Stonie Carlson brought two warrants to the Alameda County Courthouse -- one intimately familiar to the FBI. The judge signed off on the warrants despite state forbidding this practice. The FBI is also not allowed to use state judges for federal warrants, something Carlson apparently didn't know. As the order [PDF] points out, this ignorance alone might have been enough to salvage the warrants and evidence… if that's all there was to it.

A federal agent's mistaken belief that he could be issued a search warrant by a California state judge is likely not, on its own, a basis for suppressing evidence obtained during the search (at least before the publication of this ruling). That is arguably good faith negligence. But the two warrants were plagued by numerous errors, reflecting a pattern of systematic recklessness by law enforcement that militates in favor of suppressing the evidence (and against applying the "good faith exception" to the exclusionary rule).

But no good faith will be awarded here. Judge Chhabria wants to make it crystal clear no more of this "negligence" is welcome in his jurisdiction.

This ruling is published separately to put the relevant actors in the criminal justice system on notice that California law prevents state judges from issuing search warrants to federal law enforcement officers, which means that federal law enforcement officers are not permitted to execute such warrants.

As was noted earlier, state/county judges can issue certain warrants to federal and local law enforcement. But only local law enforcement is allowed to execute search warrants issued by local judges. If a federal agent wants to engage in a search or an arrest, they need to get their warrants approved by federal judges. The DEA's inability to follow California law has cost it a few cases over the years. The FBI is going to have the same problem if it doesn't train its agents correctly.

Even if it was a lapse in training, Judge Chhabria isn't interested in forgiving Agent Carlson for his agency's failings. This results in one of the harsher bench-slaps handed out to a federal agent.

At the evidentiary hearing, Carlson claimed that his decision to seek the warrants from state court judges, rather than a federal magistrate judge, was based partly on training his colleagues received from that office. This statement by Carlson may or may not accurately reflect whatever his colleagues learned or told him, since Carlson's general conduct in this case, as well as his testimony at the evidentiary hearing, shows that he is neither well-trained nor particularly concerned with complying with the law in conducting his enforcement activities.

The ruling isn't just issued for the FBI's benefit. It's also there to tell state judges to do their job correctly. But it cuts the judge in this case some slack, but only by suggesting Agent Carlson may have muddied the warrant water deliberately.

[T]he two state court judges who issued the warrants may have been unaware of the legal limits on Carlson's ability to insert himself into the state criminal justice system. The record is not clear on this point. As discussed in the separate unpublished ruling, although the state court judges likely should have known that Carlson was seeking authorization for himself and other federal officers to execute the searches, it is possible they were misled by the paperwork Carlson submitted to them.

The FBI is finally using warrants for Stingrays -- just as the DOJ stated back in 2015. Agents are just doing it as incorrectly as possible, which isn't a huge improvement. Considering the way this one was botched, Agent Carlson may as well have not even bothered filling out an affidavit.

Three years later, Senator Ron Wyden followed up on the issue. He sent a letter to the DHS asking if it was aware of these rogue Stingray-type devices and what is was doing about it. As was noted in the letter, the FCC had opened an inquiry into the matter, but nothing had ever come of it. As the agency tasked directly with defending the security of the homeland, Wyden wanted to know if anyone at the DHS was looking into the unidentified cell tower spoofers.

The agency’s response, obtained by The Associated Press from Wyden’s office, suggests little has been done about such equipment, known popularly as Stingrays after a brand common among U.S. police departments. The Federal Communications Commission, which regulates the nation’s airwaves, formed a task force on the subject four years ago, but it never produced a report and no longer meets regularly.

The DHS pointed out that its own investigation, which detected several devices during a 90-day trial using ESD America equipment, had dead-ended, supposedly because of a lack of funding

[Christopher] Krebs, the top official in the department’s National Protection and Programs Directorate, noted in the letter that DHS lacks the equipment and funding to detect Stingrays even though their use by foreign governments “may threaten U.S. national and economic security.”

The answers [PDF] are all of the "we saw something and said something" variety. Fine for what it is, but does nothing to move things forward. Whatever "anomalous activity" the DHS saw during its trial was passed on to other agencies, which have not forwarded anything to Wyden or numerous Congressional committees concerned with national security, airwave regulation, and oversight.

According to the AP report, security experts are pretty sure every foreign embassy has a cell tower spoofer in use. Whether they limit themselves to call data -- as our government agencies do -- is another matter. Stingray devices are capable of intercepting communications and deploying malware. Since embassies function as tiny foreign countries on host's soil, there's a good chance those deploying cell tower spoofers aren't all that concerned with following US law when putting these to use.

Unfortunately, we're no closer to solid answers than we were last winter… or, indeed, four years ago, when the initial report triggered an FCC investigation. Of course, we may never get to see the full answer. One possible reason for this lack of investigatory movement is this practice isn't limited to foreign entities in the US. We absolutely deploy the same hardware in any country we have an embassy, in addition to all the countries in which we maintain a military presence. No one wants to talk about our own actions overseas, much less possibly expose local law enforcement's routine use of Stingray devices. For now, all we have is a tepid admission that Stingrays our government doesn't own are in operation in Washington, DC. But that's all we need to know, apparently. Unfortunately, that's possibly all our national security oversight entities know either.

Continuing a sort of cross-country tour to detect phony cell towers, also known as interceptors or IMSI catchers, researchers associated with the security firm ESD America have detected 15 of the covert devices in Washington D.C., plus three more in nearby Virginia.

The company used their ultrasecure CryptoPhone 500 to search for the interceptors, which can compromise phones through baseband hardware and are believed to have a range of roughly 1 mile. ESD America's phones allegedly detected telltale signs of call interception in the vicinity of the White House, the Russian Embassy, the Supreme Court, the Department of Commerce, and the Russell Senate Office Building, among other landmark buildings.

Since then, not much has changed. Or if it has, no updates have been issued. Apparently, the fake cell towers are still there and in use, unmolested by local law enforcement or federal agencies. Ron Wyden would like someone to do something about it and has sent a letter [PDF] to DHS Under Secretary Christopher Krebs, asking the agency to look into it.

In 2014, security researchers reported that they detected a number of IMSI catchers in the National Capital Region, which they suggested may have been operated by foreign governments. The Federal Communications Commission (FCC) subsequently established a task force to investigate the threat posed by foreign governments and criminals using IMSI catcher technology. Unfortunately, the FCC has yet to issue any public findings or guidance since then.

Whether foreign intelligence services and criminals are using IMSI catchers to spy on senior members of the US. government is undoubtedly a question worth answering. Foreign government surveillance of senior American political and business leaders would obviously pose a significant threat to our country's national and economic security.

Wyden would like to know if the DHS has seen any firsthand evidence of these tower spoofers and if it has provided any of this info to Congressional committees. He also wants to know if the DHS has the technology to detect and locate these IMSI catchers and, if not, wants to know what it needs to begin the hunt for foreign surveillance devices.

Certainly the DHS has the tech to do its own cell tower spoofing. A recent FOIA request by Buzzfeed found the DHS has been deploying Stingray devices about once a day for the last three years. A cell tower spoofer isn't the best tool for detecting other cell tower spoofers, but it could turn into a DC-based Spy vs. Spy operation, with the DHS running its equipment to locate competitors' foreign-owned equipment, with the inherent escalation that scenario implies.

The thing about cell tower spoofers is they can be used to intercept communications. That functionality is available, although we have yet to see (acknowledged) use of Stingray devices to eavesdrop here in the US. The tacit agreement to limit Stingray use to locating cell phones is not without its own issues, but there's no agreement, unspoken or otherwise, limiting foreign entities from intercepting phones calls and text messages with their devices. (Undoubtedly, any cell tower "listening posts" deployed by the US in other countries would be similarly unaffected by voluntary limitations on domestic deployment.)

If answers are given to Wyden, it's highly doubtful we'll see them. US agencies are still completely uncomfortable discussing their own tower spoofers. Evidence of communications interception by foreign agencies will likely be buried under black ink and discussed behind closed doors.

The Texas National Guard last year spent more than $373,000 to install controversial cellphone eavesdropping devices in secretive surveillance aircraft.

Maryland-based Digital Receiver Technology Inc., or DRT, installed two of its DRT 1301C “portable receiver systems” in National Guard aircraft in partnership with the Drug Enforcement Administration, according to a contract between the Texas National Guard and the company. The contract states that the dirt boxes, as they’re often called after the company’s acronym, are for “investigative case analytical support” in counternarcotics operations and were purchased using state drug-asset forfeiture money.

These aren't the first DRT boxes to be exposed via public records requests. Law enforcement agencies in Chicago and Los Angeles are also deploying these surveillance devices -- with minimal oversight and no public discussion prior to deployment. The same goes for the US Marshals Service, which has been flying its DRT boxes for a few years now with zero transparency or public oversight.

The same goes for the National Guard in Texas. There doesn't seem to be any supporting documentation suggesting any public consultation in any form before acquisition and deployment. Not only that, but there's nothing in the documents obtained that clarifies what legal authority permits National Guard use of flying cell tower spoofers.

[T]he Texas National Guard is a military force under the governor’s command, not law enforcement. It’s unclear under what legal authorities the State Guard would be operating to conduct electronic eavesdropping. In 2015, the Justice Department issued guidelines for federal law enforcement agencies requiring that a probable cause warrant be obtained from a judge before using such technology. The Texas National Guard refused to explain to the Observer what steps, if any, it takes to secure a warrant prior to deploying the devices, or where the dirt boxes are being used.

No one knows what guidance the National Guard is operating under, much less what it does with all the cell phone data it hoovers up. It's a black hole and the National Guard refuses to discuss it. While it's undoubtedly true some law enforcement methods need to be kept under wraps, this doesn't mean agencies -- especially those like the National Guard which only play a supporting role in some law enforcement activities -- should deploy mass surveillance tools without some public discussion. Concerns definitely need to be addressed when a military agency gets into the domestic law enforcement business.

Court of Queen's Bench Justice Glen Poelman initially agreed with defence lawyers Kelsey Sitar and Clayton Rice and granted them the right to question the CPS officer involved in using the MDI regarding its make, model, features and the circumstances that may or may not affect its use.

Unfortunately, prosecutors were able to sway the judge's opinion during an in camerabriefing. The government invoked part of the Canada Evidence Act, granting it an apparent disclosure exemption on the theory handing over make and model information would be "contrary to the public interest."

Poelman has ruled the police investigative techniques are privileged, and he prohibited the release of the make, model and software of the MDI as well as "any further information which would have the effect of disclosing the technique by which MDI obtains cellphone identifier information."

This may end the line of discovery as it relates to law enforcement's IMSI catchers, but it doesn't necessarily mean the prosecution will be able to move forward. The defense plans to challenge the lawfulness of the prosecution itself. Withholding evidence possibly crucial to the defense doesn't make for a fair trial and it appears the defense will argue charges should be dropped if information isn't going to be produced. It's not like there isn't any precedent to work with. Earlier this year, the government chose to let 35 accused Mafia members go free rather than discuss Stingray use in court.

Clayton Rice, who is representing one of the accused in this case, has graciously sent over a copy of the court's ruling [PDF] on the issue. (This ruling was under a publication ban until mid-morning Tuesday.) Rice points out this is only an interim ruling and doesn't necessarily represent the final word on the subject. The court has granted the government the (possibly temporary) right to withhold certain information about its cell tower spoofers, which includes its make and model. The order is heavily redacted, which is one of the reasons it's only now being released despite having been decided back in August.

What can be sussed out from the redacted discussion is that the Calgary Police do not possess an actual Stingray -- the sort made by Harris Corp. That much is made clear in the ruling. The method used for tracking phones is also withheld, even though the technique used by the CPS has apparently been discussed publicly before. But you won't be able to find that information in the court's decision.

[I]t could be argued that all elements of CPS's MDI investigative techinique are publicly known. However, the Crown argues that it is not known that the CPS's MDI uses the [redacted] method, and the fact that information about the [redacted] procedure may be publicly accessilbe is not the same (especially in the internet age) as a police service verifying is accuracy or confirming publicly that this is the procedure they use. It is not necessarily well-known. The only public information about which Sgt. Campbell is aware that discussed the [redacted] technique is the [very lengthy redaction to end of paragraph.]

For the time being, however, the Calgary Police's cellphone interception hardware will remain a mystery. The question now is whether that desire for secrecy will cost the Crown its prosecution.

“Given recent media events my inspector has asked that I make an official request … for an authorization,” writes a member of the Calgary Police Electronic Surveillance Team on April 6 of this year. “There is some urgency to try and get this authorization in place as we are currently using the device.”

The device in question is an International Mobile Subscriber Identity-catcher — known more commonly as an IMSI catcher, a Mobile Device Identifier, or by the brand name Stingray.

The Calgary Police join the rest of the nation's police forces in the officially un-admitted to use of Stingray devices. The Royal Canadian Mounted Police is the only agency to actually hold a press briefing to announce its use of the controversial devices. All other admissions have been dragged out of agencies, either through court filings or through public records requests.

Perhaps sensing the government's regulators might have a problem with a bunch of unregulated signals, Canadian law enforcement agencies are obtaining "just in case" authorization, even as they state there's nothing legally preventing them from deploying the devices without the Innovation, Science and Economic Development agency's (Canada's FCC equivalent) approval.

In the RCMP’s letter, they argue that ISED doesn’t actually need to approve their IMSI catcher. Nevertheless, they submitted an application.

“The RCMP was first made aware of ISED views on the RCMP’s use of [IMSI catchers] through media coverage in late March 2016,” they RCMP wrote, in requesting “timely” approval to keep using the devices. A second letter, this time from the Ontario Provincial Police, similarly requests permission to use the devices — so similar, in fact, it is nearly word-for-word for the RCMP’s earlier request.

Whether ISED will see post-dated requests as a sign of good faith remains to be seen. But there's no way cops are going to stop deploying Stingrays until proper authorization is obtained. And the top name in IMSI catchers is probably assisting agencies in keeping these devices up and running, even if it might mean playing fast and loose with the facts when asking for approval.

Stingrays are the law enforcement's worst-kept secret -- on both sides of the border. A steady flow of documents that traces all the way back to a person imprisoned for tax crimes has resulted in plenty of public discussion about the privacy implications of cell tower spoofers… but very little in the way of published policies or judicial guidance. Only a couple of US courts have reached the conclusion Stingray deployments are Fourth Amendment searches. On the other side of the border things are just as unsettled.

This isn't a failure of the court system. Instead, it's the result of Stingray best practices -- directly encouraged by federal law enforcement agencies like the FBI: let suspects walk rather than discuss the devices in court. But it's inevitable that more and more info on Stingray use will be divulged in court. And it all starts with paper trails like these belated requests for regulatory clearance.

from the little-more-Fourth-for-cellphone-users dept

In the 39-page ruling, US District Judge Phyllis Hamilton notably found that the use of stingray to find a man named Purvis Ellis was a "search" under the Fourth Amendment—and therefore required a warrant.

The DOJ -- despite issuing its own guidance requiring warrants for Stingrays in 2015 -- argued in court earlier this year that no warrant was needed to deploy the Stingray to locate a shooting suspect. It actually recommended the court not reach a conclusion on the Fourth Amendment implications of Stingray use, as it had plenty of warrant exceptions at the ready -- mainly the "exigent circumstances" of locating a suspect wanted for a violent crime.

Unfortunately for the federal government (and all other law enforcement agencies located in the court's jurisdiction), the court declined the DOJ's offer to look the other way on Constitutional issues. It found a Stingray's impersonation of cell tower to obtain real-time location information is a search under the Fourth Amendment.

The court adopts Judge Koh’s reasoning in In re Application for Telephone Information, 119 F. Supp. 3d at 1026, to hold that cell phone users have an expectation of privacy in their cell phone location in real time and that society is prepared to recognize that expectation as reasonable. While Judge Koh limited her analysis to the privacy interest in historical CSLI, the court determines that cell phone users have an even stronger privacy interest in real time location information associated with their cell phones, which act as a close proxy to one’s actual physical location because most cell phone users keep their phones on their person or within reach, as the Supreme Court recognized in Riley. In light of the persuasive authority of Lambis, and the reasoning of my learned colleagues on this court recognizing a privacy interest in historical cell site location information, the court holds that Ellis had a reasonable expectation of privacy in his real-time cell phone location, and that use of the Stingray devices to locate his cell phone amounted to a search requiring a warrant, absent an exception to the warrant requirement.

The court also has something to say about the FBI/Oakland PD's use of a pen register order as a stand-in for a warrant specifically detailing the type of device to used to obtain these so-called "phone records."

The government contends that since the Stingray devices used in this case were configured in compliance with the pen register statute, then the provisions of the pen register statute, including the “emergency” provisions, govern their operation. Doc. no. 321 at 9 (citing 18 U.S.C. § 3125). The government does not address the key issue in dispute, namely, whether the provisions of the pen register statute and the SCA provide the appropriate standard for using a CSS to locate a cell phone in real-time. The court follows Judge Illston’s determination in Cooper, 2015 WL 881578, that the provisions of the pen register statute and the SCA do not authorize the use of a CSS to disclose realtime information about a cell phone user’s physical location, and that such location monitoring must be authorized by a showing of probable cause.

It also points out the DOJ's reliance on the Stored Communications Act to salvage its warrantless Stingray use is misplaced -- something that could be gathered by the name of the statute.

[C]ongress intended that the SCA “was to be used as a means to obtain data which has already been stored at the time the government seeks to obtain it,” as opposed to real-time data.

Ultimately, though, the court denies the suppression of the evidence, allowing the government's "exigent circumstances" argument to prevail. This may prove to be a good thing in the long run (although it does little for the defendant). Allowing the government to keep its evidence gives it no reason to appeal the decision. And this decision implements a warrant requirement for obtaining real-time cell site location info and gives certain third-party records an expectation of privacy.